Solved

ASA 5520 xlate

Posted on 2008-10-06
Last Modified: 2013-12-23
I'm replacing an old 2651 with an ASA 5520 with 8.0(3). I'm new at this, but have pieced it together so that it seems to work and tests out OK; however, once I place it on my network most users experience symptoms of congestion. If I do a clear xlate it will clear up for a minute or so. Below are the config and the output of some commands with only a few clients on--not when the entire network is behind it.

The ASA goes to a Packeteer 7500>Bluecoat Proxy>L3 4503 switch. Proxy and Packeteer are transparent--just for filtering and shaping.

:
ASA Version 8.0(3)
!
hostname XYZABC
domain-name AAA
enable password X1ukmNQg/PUDAkLR encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xx.xxx.xx.93 255.255.255.240
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.240
!
interface GigabitEthernet0/2.110
 description Main Office Interface
 vlan 11
 nameif Main
 security-level 100
 ip address 10.6.0.3 255.255.255.224
!
interface GigabitEthernet0/2.120
 description CW Interface
 vlan 12
 nameif CW
 security-level 100
 ip address 10.6.0.35 255.255.255.240
!
interface GigabitEthernet0/2.130
 description HN Interface
 vlan 13
 nameif HN
 security-level 100
 ip address 10.6.1.3 255.255.255.248
!
interface GigabitEthernet0/2.140
 description TMDE Interface
 vlan 14
 nameif TMDE
 security-level 100
 ip address 10.6.3.3 255.255.255.240
!
interface GigabitEthernet0/2.200
 description Standard Interface
 vlan 2
 nameif Standard
 security-level 100
 ip address 10.1.0.3 255.255.128.0
!
interface GigabitEthernet0/2.300
 description VOIP Interface
 vlan 3
 nameif VOIP
 security-level 100
 ip address 10.4.0.3 255.255.128.0
!
interface GigabitEthernet0/2.500
 description Corporate Interface
 vlan 5
 nameif Corporate
 security-level 100
 ip address 10.3.0.3 255.255.240.0
!
interface GigabitEthernet0/2.600
 description Equipment Interface
 vlan 6
 nameif Equipment
 security-level 100
 ip address 10.5.0.3 255.255.252.0
!
interface GigabitEthernet0/2.700
 description Staff Interface
 vlan 7
 nameif Staff
 security-level 100
 ip address 10.6.2.3 255.255.255.192
!
interface GigabitEthernet0/3
 description DMZ Interface
 nameif DMZ
 security-level 40
 ip address 10.10.10.1 255.255.255.240
!
interface Management0/0
 nameif MGT
 security-level 100
 ip address 172.16.0.1 255.255.255.240
 management-only
!
passwd 0jESGTKLXB.nb7sY encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name aaa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat_outbound extended permit ip host 10.0.0.9 10.10.10.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu MGT 1500
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu Standard 1500
mtu VOIP 1500
mtu Corporate 1500
mtu Equipment 1500
mtu Staff 1500
mtu Main 1500
mtu CW 1500
mtu HN 1500
mtu TMDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 77.246.72.87 netmask 255.0.0.0
global (outside) 101 77.246.72.88 netmask 255.0.0.0
global (outside) 101 77.246.72.85 netmask 255.0.0.0
global (outside) 101 77.246.72.86 netmask 255.0.0.0
global (outside) 101 77.246.72.89 netmask 255.0.0.0
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (inside) 101 10.6.1.0 255.255.255.248
nat (inside) 101 10.6.0.32 255.255.255.240
nat (inside) 101 10.6.3.0 255.255.255.240
nat (inside) 101 10.6.0.0 255.255.255.224
nat (inside) 101 10.6.2.0 255.255.255.192
nat (inside) 101 10.5.0.0 255.255.252.0
nat (inside) 101 10.3.0.0 255.255.240.0
nat (inside) 101 10.1.0.0 255.255.128.0
static (DMZ,outside) 77.246.72.90 10.10.10.6 netmask 255.255.255.255
static (DMZ,outside) 77.246.72.83 10.10.10.5 netmask 255.255.255.255
static (DMZ,outside) 77.246.72.84 10.10.10.3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.246.72.81 1
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.9 255.255.255.255 DMZ
http 10.0.0.9 255.255.255.255 inside
http 172.16.0.0 255.255.255.248 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 172.16.0.2 255.255.255.255 MGT
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.2-172.16.0.6 MGT
dhcpd dns 198.6.1.5 interface MGT
dhcpd enable MGT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9c577be224a2cb3c98f0e7ecd797436e
: end

xyzabc# sh xlate
3 in use, 2070 most used
Global XX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3

xyzabc# sh xlate
11 in use, 2070 most used
Global XXX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3
PAT Global XXX.XXX.XX.87(1063) Local 10.1.0.9(3552)
PAT Global XXX.XXX.XX.87(1059) Local 10.1.0.9(58957)
PAT Global XXX.XXX.XX.87(1062) Local 10.1.0.9(3551)
PAT Global XXX.XXX.XX.87(1058) Local 10.1.0.9(57605)
PAT Global XXX.XXX.XX.87(1061) Local 10.1.0.9(3550)
PAT Global XXX.XXX.XX.87(1057) Local 10.1.0.9(54839)
PAT Global XXX.XXX.XX.87(1060) Local 10.1.0.9(3549)
PAT Global XXX.XXX.XX.87(1056) Local 10.1.0.9(49867)

xyzabc# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is XX.XXX.XX.81 to network 0.0.0.0

C    172.16.0.0 255.255.255.240 is directly connected, MGT
C    XX.XXX.XX.80 255.255.255.240 is directly connected, outside
C    10.3.0.0 255.255.240.0 is directly connected, Corporate
C    10.0.0.0 255.255.255.240 is directly connected, inside
C    10.10.10.0 255.255.255.240 is directly connected, DMZ
C    10.1.0.0 255.255.128.0 is directly connected, Standard
C    10.6.0.0 255.255.255.224 is directly connected, Main
C    10.6.1.0 255.255.255.248 is directly connected, HN
C    10.6.2.0 255.255.255.192 is directly connected, Staff
C    10.4.0.0 255.255.128.0 is directly connected, VOIP
C    10.6.3.0 255.255.255.240 is directly connected, TMDE
C    10.5.0.0 255.255.252.0 is directly connected, Equipment
C    10.6.0.32 255.255.255.240 is directly connected, CW
S*   0.0.0.0 0.0.0.0 [1/0] via 77.246.72.81, outside

xyzabc# sh conn
6 in use, 4255 most used
TCP out 75.65.216.108:6667 in 10.10.10.6:1225 idle 0:00:02 bytes 2284506 flags UIO
TCP out 74.125.95.102:80 in 10.1.0.9:3552 idle 0:00:03 bytes 762 flags UFRIO
TCP out 207.46.192.254:80 in 10.1.0.9:3549 idle 0:00:35 bytes 1582 flags UIO

WISP-ASA# sh perfmon
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCP Intercept        0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

xyzabc# sh int
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address 001e.f762.9570, MTU 1500
        IP address XX.XXX.XX.93, subnet mask 255.255.255.240
        1881799 packets input, 1319211423 bytes, 0 no buffer
        Received 23725 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1181707 packets output, 177008162 bytes, 0 underruns
        0 output errors, 0 collisions, 6 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/17) software (0/0)
        output queue (curr/max packets): hardware (0/6) software (0/0)
  Traffic Statistics for "outside":
        18179 packets input, 9086736 bytes
        11112 packets output, 813789 bytes
        3433 packets dropped
      1 minute input rate 0 pkts/sec,  231 bytes/sec
      1 minute output rate 0 pkts/sec,  16 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  387 bytes/sec
      5 minute output rate 0 pkts/sec,  36 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 001e.f762.9571, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
Interface GigabitEthernet0/2 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.0.0.1, subnet mask 255.255.255.240
        1152565 packets input, 177452838 bytes, 0 no buffer
        Received 49251 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1645918 packets output, 1061022910 bytes, 7 underruns
        0 output errors, 324 collisions, 10 interface resets
        0 late collisions, 15 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (3/33) software (0/0)
        output queue (curr/max packets): hardware (0/5) software (0/0)
  Traffic Statistics for "inside":
        5895 packets input, 639799 bytes
        5611 packets output, 4809065 bytes
        1093 packets dropped
      1 minute input rate 0 pkts/sec,  4 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  37 bytes/sec
      5 minute output rate 0 pkts/sec,  245 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2.110 "Main", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 11
        Description: Main Office Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.6.0.3, subnet mask 255.255.255.224
  Traffic Statistics for "Main":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.120 "CW", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 12
        Description: CW Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.6.0.35, subnet mask 255.255.255.240
  Traffic Statistics for "CW":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.130 "HN", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 13
        Description: HN Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.6.1.3, subnet mask 255.255.255.248
  Traffic Statistics for "HN":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.140 "TMDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: TMDE Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.6.3.3, subnet mask 255.255.255.240
  Traffic Statistics for "TMDE":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.200 "Standard", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 2
        Description: Standard Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.1.0.3, subnet mask 255.255.128.0
  Traffic Statistics for "Standard":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.300 "VOIP", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 3
        Description: VOIP Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.4.0.3, subnet mask 255.255.128.0
  Traffic Statistics for "VOIP":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.500 "Corporate", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 5
        Description: Corporate Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.3.0.3, subnet mask 255.255.240.0
  Traffic Statistics for "Corporate":
        1 packets input, 40 bytes
        1 packets output, 40 bytes
        1 packets dropped
Interface GigabitEthernet0/2.600 "Equipment", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 6
        Description: Equipment Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.5.0.3, subnet mask 255.255.252.0
  Traffic Statistics for "Equipment":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/2.700 "Staff", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 7
        Description: Staff Interface
        MAC address 001e.f762.9572, MTU 1500
        IP address 10.6.2.3, subnet mask 255.255.255.192
  Traffic Statistics for "Staff":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface GigabitEthernet0/3 "DMZ", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Description: DMZ Interface
        MAC address 001e.f762.9573, MTU 1500
        IP address 10.10.10.1, subnet mask 255.255.255.240
        1116010 packets input, 79427748 bytes, 8440 no buffer
        Received 7009 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1081713 packets output, 179228376 bytes, 4639 underruns
        0 output errors, 0 collisions, 5 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (1/33) software (0/0)
        output queue (curr/max packets): hardware (0/3) software (0/0)
  Traffic Statistics for "DMZ":
        6794 packets input, 1070221 bytes
        9756 packets output, 3530205 bytes
        729 packets dropped
      1 minute input rate 0 pkts/sec,  10 bytes/sec
      1 minute output rate 0 pkts/sec,  131 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  7 bytes/sec
      5 minute output rate 0 pkts/sec,  96 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "MGT", is up, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 001e.f762.956f, MTU 1500
        IP address 172.16.0.1, subnet mask 255.255.255.240
        69436 packets input, 4754010 bytes, 0 no buffer
        Received 1777 broadcasts, 0 runts, 0 giants
        23 input errors, 0 CRC, 0 frame, 23 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        60385 packets output, 21204383 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/1) software (103/187)
        output queue (curr/max packets): hardware (128/128) software (5848/5848)
  Traffic Statistics for "MGT":
        69196 packets input, 3441005 bytes
        66244 packets output, 20346909 bytes
        11197 packets dropped
      1 minute input rate 82 pkts/sec,  3327 bytes/sec
      1 minute output rate 91 pkts/sec,  4386 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4 pkts/sec,  214 bytes/sec
      5 minute output rate 3 pkts/sec,  862 bytes/sec
      5 minute drop rate, 0 pkts/sec
        Management-only interface. Blocked 5390 through-the-device packets
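An added example (not part of the original post, and not Cisco tooling): a small Python parser for the `sh xlate` output shown above that counts PAT rows per inside host and per global address, which is the quick way to see who holds the translations when the table keeps growing until a `clear xlate`. The sample table is constructed in the shape of the post's second capture, with documentation addresses in place of the masked globals; `per_host_limit` is an assumed threshold.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's second "sh xlate" capture;
# the masked public addresses are replaced with documentation addresses
# (203.0.113.0/24) so no real global is named.
SAMPLE_XLATE = """\
11 in use, 2070 most used
Global 203.0.113.90 Local 10.10.10.6
Global 203.0.113.83 Local 10.10.10.5
Global 203.0.113.84 Local 10.10.10.3
PAT Global 203.0.113.87(1063) Local 10.1.0.9(3552)
PAT Global 203.0.113.87(1059) Local 10.1.0.9(58957)
PAT Global 203.0.113.87(1062) Local 10.1.0.9(3551)
PAT Global 203.0.113.87(1058) Local 10.1.0.9(57605)
PAT Global 203.0.113.87(1061) Local 10.1.0.9(3550)
PAT Global 203.0.113.87(1057) Local 10.1.0.9(54839)
PAT Global 203.0.113.87(1060) Local 10.1.0.9(3549)
PAT Global 203.0.113.87(1056) Local 10.1.0.9(49867)
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used")
ENTRY_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?"
)


def parse_xlate(text):
    """Return (in_use, most_used, entries); each entry is one xlate row."""
    in_use = most_used = None
    entries = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            in_use, most_used = int(m.group(1)), int(m.group(2))
        elif m := ENTRY_RE.match(line):
            entries.append({
                "pat": m.group("pat") is not None,  # PAT row vs one-to-one row
                "global": m.group("gip"),
                "gport": m.group("gport"),
                "local": m.group("lip"),
            })
    return in_use, most_used, entries


def summarize(text, per_host_limit=1000):
    """Count PAT rows per inside host and per global address; per_host_limit
    is an assumed threshold above which a host is reported as holding too many."""
    in_use, most_used, entries = parse_xlate(text)
    pat = [e for e in entries if e["pat"]]
    by_local = Counter(e["local"] for e in pat)
    by_global = Counter(e["global"] for e in pat)
    return {
        "in_use": in_use,
        "most_used": most_used,
        "one_to_one": len(entries) - len(pat),
        "pat": len(pat),
        "top_local": by_local.most_common(3),
        "top_global": by_global.most_common(3),
        "over_limit": [h for h, n in by_local.items() if n > per_host_limit],
    }
```

Feed it the output of `sh xlate` captured while the congestion is happening, not the quiet capture above, to see which hosts dominate the table.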

Question by:demetri08
Expert Comment by:Andres Perales

A Cisco 2651 is a router; an ASA is a security device or firewall. You may be using the device as a router, which it is not made to be, or to handle that type of traffic.
You should replace your 2651 router with another router in front of your firewall.

Expert Comment by:Andres Perales

Just my 2 cents.

Author Comment by:demetri08

Understood, but the ASA should be capable of the routing and NATing required to take over the functions of the existing router.

Accepted Solution by:lrmoore (earned 500 total points)

Suggest re-doing the NAT and globals.

---- current ----
global (outside) 101 77.246.72.87 netmask 255.0.0.0
global (outside) 101 77.246.72.88 netmask 255.0.0.0
global (outside) 101 77.246.72.85 netmask 255.0.0.0
global (outside) 101 77.246.72.86 netmask 255.0.0.0
global (outside) 101 77.246.72.89 netmask 255.0.0.0
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (inside) 101 10.6.1.0 255.255.255.248
nat (inside) 101 10.6.0.32 255.255.255.240
nat (inside) 101 10.6.3.0 255.255.255.240
nat (inside) 101 10.6.0.0 255.255.255.224
nat (inside) 101 10.6.2.0 255.255.255.192
nat (inside) 101 10.5.0.0 255.255.252.0
nat (inside) 101 10.3.0.0 255.255.240.0
nat (inside) 101 10.1.0.0 255.255.128.0

---- proposed ----
I hope you see the pattern and understand that there is a nat to match each global, and that each nat is attached to the appropriate interface.

global (outside) 101 77.246.72.87
global (outside) 102 77.246.72.88
global (outside) 103 77.246.72.85
global (outside) 104 77.246.72.86
global (outside) 105 77.246.72.89
global (outside) 100 interface
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (CW) 101 10.6.1.0 255.255.255.248
nat ( ?? ) 102 10.6.0.32 255.255.255.240
nat (TMDE) 103 10.6.3.0 255.255.255.240
nat (Main) 104 10.6.0.0 255.255.255.224
nat (Staff) 105 10.6.2.0 255.255.255.192
nat (Equipment) 100 10.5.0.0 255.255.252.0
nat (Corporate) 100 10.3.0.0 255.255.240.0
nat (Standard) 100 10.1.0.0 255.255.128.0

Author Comment by:demetri08

OK, did that and will try it out soon. Any other areas of the config that would be advisable to re-do? Thanks.

Expert Comment by:lrmoore

I hope your transparent proxy and the Packeteer support trunking through them and can see all of the VLANs.

You have static routes to networks that are directly connected. You can remove these:
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1

To route between interfaces you're going to have to disable nat-control:
  no nat-control

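An added example (not lrmoore's code and not Cisco tooling): a Python linter for the two configuration points made in this thread, the "one nat per global, attached to the interface that owns the subnet" pattern from the accepted answer and the static routes that duplicate connected subnets. It parses `nameif`/`ip address` stanzas plus `global`, `nat` and `route` lines, then reports a `nat` id with no matching `global`, a `nat` placed on an interface that does not own its subnet, a `global` naming an interface that does not exist, and a static route to a connected subnet. The config is a constructed excerpt in the shape of the posted one; the masked outside address is omitted, so "outside" carries no subnet.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: interface stanzas from the posted config plus nat/global
# lines in the shape of the accepted answer (the masked outside address is left
# out, so "outside" carries no subnet here). The mistakes are planted on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/2.120
 nameif CW
 ip address 10.6.0.35 255.255.255.240
interface GigabitEthernet0/2.130
 nameif HN
 ip address 10.6.1.3 255.255.255.248
interface GigabitEthernet0/2.200
 nameif Standard
 ip address 10.1.0.3 255.255.128.0
global (outside) 101 77.246.72.87
global (ourside) 100 interface
nat (CW) 101 10.6.1.0 255.255.255.248
nat (Standard) 100 10.1.0.0 255.255.128.0
nat (Standard) 103 10.6.0.32 255.255.255.240
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
"""

NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\d[\d.]*)\s+(\S+)")  # skips access-list form
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Collect nameif -> connected subnet, global id -> interfaces, nat rules, routes."""
    ifaces, globals_, nats, routes = {}, defaultdict(list), [], []
    nameif = None
    for line in text.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new stanza, its nameif not seen yet
        elif m := NAMEIF_RE.match(line):
            nameif = m[1]
            ifaces.setdefault(nameif, None)
        elif (m := IPADDR_RE.match(line)) and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := GLOBAL_RE.match(line):
            globals_[m[2]].append(m[1])
        elif m := NAT_RE.match(line):
            nats.append((m[1], m[2], ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[4]))
    return ifaces, globals_, nats, routes


def owner_of(net, ifaces):
    """Interface whose connected subnet contains net, or None."""
    return next((n for n, sub in ifaces.items() if sub and net.subnet_of(sub)), None)


def lint(text):
    ifaces, globals_, nats, routes = parse_config(text)
    findings = []
    for ifname in sorted({i for pools in globals_.values() for i in pools}):
        if ifname not in ifaces:
            findings.append(f"global references unknown interface '{ifname}'")
    for ifname, nat_id, net in nats:
        if nat_id not in globals_:
            findings.append(f"nat id {nat_id} on {ifname} has no matching global")
        owner = owner_of(net, ifaces)
        if ifname not in ifaces:
            findings.append(f"nat on unknown interface '{ifname}'")
        elif owner is not None and owner != ifname:
            findings.append(f"nat for {net} is on {ifname} but that subnet is connected to {owner}")
    for ifname, net, gw in routes:
        dup = next((n for n, sub in ifaces.items() if sub == net), None)
        if dup is not None:
            findings.append(f"static route for {net} via {gw} duplicates connected interface {dup}")
    return findings
```

Run `lint()` over a full `show running-config` before pasting a rewritten NAT section; on the sample it flags the misspelt interface, the two misplaced nat lines and the redundant route.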
Author Comment by:demetri08

For the networks that are 'directly connected', they are actually VLANs that are directly connected to the 4503, which is 10.0.0.2 (in the native VLAN for the inside interface of the ASA). I thought this was required for routes that are not directly connected. I'm clearly not understanding this... Also, when I try to remove them, it says I cannot remove a route that is directly connected...

Expert Comment by:lrmoore

If you have an interface, such as VLAN subifs on the ASA, you should not add static routes pointing those networks to somewhere else.

Expert Comment by:Pugglewuggle

That's correct. The ASA can have several different kinds of routes and it determines which one to use first for a particular location based on its "administrative distance" (which basically means reliability). When you have a network that is defined on the ASA (such as a VLAN or subinterface), that is counted as a CONNECTED (or local) route. Other types such as static and others fall into place after this. If you have a network defined in one of the above ways, it has a route in the ASA by default.
You can view currently active routes by running a sh route command.
Cheers! Let me know if you have any questions!

Author Comment by:demetri08

OK. I originally had the networks configured as static routes back to 10.0.0.2, the gateway for them--and I did not have them configured as VLANs/subinterfaces. I made that change after seeing a large number of L2 decode drops on the inside interface. So, I'll keep them as VLANs and remove the routes I added.

Expert Comment by:Pugglewuggle

Cool! Any questions?

Author Comment by:demetri08

I did everything advised, but still had issues when I connected it to the transparent bandwidth manager/proxy and 4503 L3 switch. I now have it connected to the switch directly and am using a test subnet to try and troubleshoot. I set different MACs for each VLAN/subinterface on g 0/2. This impacted it, as I immediately saw more hosts/broadcasts in the ASDM log. Any way to check whether my switch supports the sharing of one MAC for multiple VLANs? Also, must I have Security Plus license to support mode? With the subinterfaces configured as they are it has the correct native VLAN and all other VLANs match up. However, I guess this won't do much if it doesn't trunk/tag the VLANs. Thanks in advance...

Expert Comment by:Pugglewuggle

Which switch is it?
Also, the 5520 doesn't have a Security Plus license - those features are already there.
As far as VLANs and subinterfaces on the ASA go, it's usually easier to have as few interfaces as possible on the ASA (use VLANs only for traffic management such as DMZ/inside/etc.) because it causes complications.
Try to put all of your VLANs on your switches only and then either put in static routes on the ASA for those VLANs or run a dynamic routing protocol like EIGRP, OSPF, or RIP.
V. 8.x of ASA software will run those protocols; 7.x will only run RIP and OSPF.
Cheers! Let me know if you have any questions!

Author Comment by:demetri08

OK, I'll try that now. I had it that way before, but I was getting a large amount of L2 decode errors. Any insight as to why that would be? They were all errors on the inside interface (inside = physical interface where all the VLANs were set up as subinterfaces).

Expert Comment by:Pugglewuggle

Hmmm... interference with the cables maybe? Bad cables? Duplex mismatches?
What kind of switch?